Since GDPR’s implementation a year ago, a lot has changed in the world of data privacy – with some changes that were expected, some not.
GDPR has reinvigorated companies’ efforts to ensure personal information is protected and handled properly. It drove corporate transparency around how personal data is being used. The regulation empowered consumers to demand more in the way of privacy protection. Finally, GDPR has catalyzed international dialog around the need for a global standard. However, despite all the efforts companies have made to better secure personal data in response to GDPR, there is little evidence that GDPR has played a role in reducing the number of data breaches.
Organizations worked to optimize security in preparation for GDPR. However, security optimization has been a continuous effort for most organizations since long before this regulation was introduced. Yet we continue to see studies indicating increases in the number of data breaches and the volume of personal data exposed. There are several reports circulating with widely varying claims. What industry experts do agree on is that the number of cyber attacks continues to increase in volume and sophistication. So, it is not unreasonable to assert that we have not yet turned the tide on data breaches.
The 2018 BDO Cyber Governance Survey shows that the number of cyber attacks increased significantly in 2018, including a 250 percent increase in business email compromise (spoofing) attacks and a 70 percent increase in spear-phishing attacks. Identity intelligence company 4IQ reported that 2018 saw a 424 percent increase in data breaches compared with 2017, with 14.9 billion identity records circulating in underground communities – a 71 percent increase over 2017. In the U.S., the Identity Theft Resource Center announced that the amount of exposed personally identifiable information increased 126 percent in 2018, even though data breaches, by their count, were down 23 percent. The organization makes a compelling case that, because companies are creating more and bigger repositories of personal data both on premises and in the cloud, the attackers’ jobs became easier.
These statistics paint a clear picture. While GDPR gives consumers some power over how their data is used, it will take more work to reverse the trend on data breaches. The threat of huge fines is obviously compelling, but regulatory authorities in Europe have been flooded with over 59,000 breach reports, according to DLA Piper. How can one expect those agencies to comprehensively enforce GDPR security mandates? Yet, despite the practical limitations of GDPR, companies will continue to work toward a more mature state of GDPR compliance and continually improve their security posture. It’s the right thing to do, and it’s good for business. So, with that in mind, where should companies focus their efforts in year two?
Last year, many companies scrambled to meet the deadline by focusing – understandably – on structured systems, such as CRMs. Much of their data inventory processes consisted of pen and paper exercises, and they used several disparate tools to accomplish different tasks. They made it through 2018, but they have a long way to go to extend compliance measures across their data universe.
Priorities this year should include extending GDPR compliance operations to unstructured data, as well as minimizing reliance on niche tools to avoid creating data silos and expanding the risk footprint. Adopting a comprehensive data protection and management solution will allow organizations to consolidate a number of key operations, such as data mapping, information risk remediation, lifecycle management, backup and recovery, as well as provisioning and orchestration for dev/test and analytics projects.
In addition, this approach can create a centralized intelligence hub that provides a more efficient means of gaining visibility into and control over sensitive data “in the wild”, while enabling active management of all critical data sources. Such an approach can help organizations address the persistent challenges identified in the Cisco Data Privacy Benchmark Study. These challenges include accelerating discovery for data subject requests, improving data mapping, enforcing privacy-by-design processes, identifying employees who need further training, as well as optimizing data minimization and content-aware data management to facilitate better security planning and prioritization.
While privacy legislation will not magically make personal data safer, GDPR has put personal privacy and corporate trust front and center. Debates will continue over establishing a global privacy treaty, the impacts on small and medium businesses, and using antitrust as a tool to augment legislative efforts. However, the collection and use of personal data is a pillar of the 21st century economy and companies need to reconcile their use of personal data to deliver value with consumers’ demands that their data be protected and not misused. If companies hope to maintain trust, they need to find practical ways to minimize risk, respond rapidly to data subject requests and optimize security and operational resilience. They must redouble their efforts in year two of the GDPR era while recognizing that privacy protection is not a destination, it’s a journey.